Subject: Netwatch 2
From: Adam Elkins (i-robot@gci.net)
Date: Sun Feb 09 2003 - 00:01:49 AKST
Ok, it just happened again. Now that it's there, I can better describe it.
New mail for root@net_slack has arrived:
---- From: Mail Delivery Subsystem Subject: Returned mail: see transcript for details This is a MIME-encapsulated message--1h9KGxT09600.1044821819/net_slack..
(at the bottom of the screen; 'NetBus from 192.168.1.42 ' which is my main box) When I check the mail, it says:
*******************************************************
WARNING MESSAGE from Netwatch 0.9g at Sun Feb 9
Netbus from 192.168.1.42 to 24.237.63.142 with len=40
45 0 0 28 ED 18 0 0 7D 6 36 6A 18 [I don't feel like typing the rest]
*******************************************************
The table is 4 lines long, but you get the idea. I did a bit more research, and found that Netwatch watches for NetBus/BackOrifice packets. The funny thing is, it says it's coming from my other slack box. Just out of curiosity, I checked the log for Apache on my other box. The IP in the mail was there (24.237.63.142) doing all types of these things:

"GET /scripts/root.exe?/c+dir HTTP/1.1" 404 293

There are 9 or so of these, all "GET"ing different things, including this, which seems very odd:

"GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNN%u909 [I don't feel like typing the rest]

I really don't know what all this means. Could someone explain what's going on here?
This archive was generated by hypermail 2a23 : Sat Feb 08 2003 - 23:59:07 AKST